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This listing of claims replaces all prior versions, and 
listings of claims in the instant application: 

Listing of Claims: 

1. (Currently amended) A method comprising: 
detecting an attack by malicious code on a first computer 

system; 

extracting a malicious code signature from said malicious 
code comprising: 

locating a caller's address of said malicious code in 
a memory of said first computer system; and 

extracting a specific number of bytes backwards from 
said caller's address ; 

creating an extracted malicious code packet including said 
malicious code signature; and 

i sending said extracted malicious code packet from' said 
first computer system to a second computer system. 

2. (Original) The method of Claim 1 wherein prior to 
said sending, said method further comprising determining that 
said extracted malicious code packet is a new extracted 
malicious code packet. 

3. (Original) The method of Claim 1 wherein prior to 
said sending, said method further comprising determining that a 
maximum number of extracted malicious code packets have not 
been sent from said first computer system. 

4. (Original) The method of Claim 1 wherein said 
extracted malicious code packet is sent from said first 
computer system to said second computer system on a secure 
channel . 
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(Currently amended) A method comprising: 
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detecting an attack by malicious code on a first computer 
system; 

creating an extracted malicious code packet including 
parameters associated with said malicious code , said parameters 
being selected from the group consisting of a caller's address 
of said malicious code in a memory of said first computer 
system, a name of a process in which said attack took place, 
ports connected to said process, service pack levels, operating 
system information, patch level information, and combinations 
thereof; and 

sending said extracted malicious code packet from said 
first computer system to a second computer system. 

6.. (Original) The method of Claim 5 wherein prior to 
said sending, said method further comprising determining, that 
said extracted malicious code packet is a new extracted 
malicious code packet. . 

7. (Original) The method of Claim 5 wherein prior to 
said sending, said method further comprising determining that a 
maximum number of extracted malicious code packets have not 
been sent from said first computer system. 

8. (Original) The method of Claim 5 wherein said 
extracted malicious code packet is sent from said first 
computer system to said second computer system on a secure 
channel . 



9. (Original) The method of Claim 5 further comprising 
determining whether said malicious code is sendable. 



10. (Original) The method of Claim 9 wherein upon a 
determination that said malicious code is sendable, said method 
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further comprising extracting said malicious code from a memory 
location. 



11. (Original) The method of Claim 10 wherein said 
extracting comprises copying or cutting said malicious code 
from said memory location. 

12. (Original) The method of Claim 10 further comprising 
appending said parameters to said malicious code after said 
extraction. 



13. (Original) The method of Claim 9 wherein upon a 
determination that said malicious code is not sendable, said 
method further comprising extracting a snippet of said 
malicious code from a memory location. 

14. (Original) The method of Claim 13 wherein said 
extracting comprises copying or cutting a portion of said 
malicious code from said memory location. 

15. (Original) The method of Claim 13 further comprising 
appending said parameters to said snippet after said 
extraction. 
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16. (Currently amended) A method comprising: 
receiving an extracted malicious code packet from a first 
computer system with a second computer syste m, said first 
computer system being a host computer system and said second 
computer system being a local analysis center computer system ; 
and 

determining whether an attack threshold has been exceeded 
based upon said extracted malicious code packet , wherein upon a 
determination that an attack threshold has been exceeded, said 
method further comprising delivering a signature update 
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comprising a malicious code signature to an intrusion detection 
system . 

17-18. (Canceled) 

19. (Currently amended) The method of Claim 4r3— 16 
further comprising determining that a maximum number of 
signature updates have not been sent prior to said delivering a 
signature update. 

20. (Currently amended) The method of Claim ^7—16 
further comprising creating said signature update. 

21. (Original) The method of Claim 16 wherein said 
extracted malicious code packet includes a malicious code 
signature, and wherein upon a determination that said attack 
threshold has been exceeded, said method further comprising 
delivering said malicious code signature to a global analysis 
center. 

22. (Original) The method of Claim 21 further comprising 
determining that a maximum number of malicious code signatures 
have not been sent prior to said delivering said malicious code 
signature . 

23. (Original) The method of Claim 21 further comprising 
extracting said malicious code signature from said extracted 
malicious code packet. 
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24. (Original) The method of Claim 16 further comprising 
determining whether said extracted malicious code packet 
includes a malicious code signature, wherein upon a 
determination that said extracted malicious code packet does 
not include a malicious code signature, said method further 
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comprising extracting a malicious code signature from said 
extracted malicious code packet. 

25. (Original) The method of Claim 16 wherein upon a 
determination that said attack threshold has been exceeded, 
said method further comprising delivering said extracted 
malicious code packet to a global analysis center. 

26. (Original) The method of Claim 25 further comprising 
determining that a maximum number of extracted malicious code 
packets have not been sent prior to said delivering said 
extracted malicious code packet. 

27. (Currently amended) A computer system comprising: 
an intrusion prevention application for detecting an 

attack by malicious code on a first computer system; 

a host signature extraction application for extracting a 
malicious code signature from said malicious code comprising: 

locating a caller 7 s address of said malicious code in 
a memory of said first computer system; and 

extracting a specific number of bytes backwards from 
said callers address ; 

said host signature extraction application further for 
creating an extracted malicious code packet including said 
malicious code signature; and 

said host signature extraction application further for 
sending said extracted malicious code packet from said first 
computer system to a second computer system. 
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28. (Currently amended) A computer system comprising: 
an intrusion prevention application for detecting an 

attack by malicious code on a first computer system; 

a host signature extraction application for creating an 

extracted malicious code packet including parameters associated 



Page 7 of 15 



Appl. No. 10/611,472 

Amdt. dated May 31, 2007 

Reply to Office Action of May 4, 2007 



with said malicious code , said parameters being selected from 
the group consisting of a callers address of said malicious 
code in a memory of said first computer system, a name of a 
process in which said attack took place, ports connected to 
said process, service pack levels, operating system 
information, patch level information, and combinations thereof ; 
and 

said host signature extraction application further for 
sending said extracted malicious code packet from said first 
computer system to a second computer system. 

29. (Currently amended) A computer system comprising: 

a local analysis center signature extraction application 
for receiving an extracted malicious code packet from a first 
computer system with a second computer syste m, said first 
computer system being a host computer system and said second 
computer system being a local analysis center computer system ; 
and 

said local analysis center signature extraction 
application further for determining whether an attack threshold 
has been exceeded based upon said extracted malicious code 
packet , wherein upon a determination that an attack threshold 
has been exceeded, said method further comprising delivering a 
signature update comprising a malicious code signature to an 
intrusion detection system . 

30. (New) The method of Claim 1 wherein the specific 
number of bytes is 32 bytes. 

31. (New) The method of Claim 9 wherein said malicious 
code is sendable if a size of said malicious code is 8 KB or 
less . 
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32. (New) The method of Claim 13 wherein said extracting 
a snippet comprises : 

locating a caller's address of said malicious code; and 
extracting a specific number of bytes above and below said 
caller's address. 

33. (New) The method of Claim 32 wherein said extracting 
a specific number of bytes above and below said caller's 
address comprises extracting 4 KB above said caller's address 
and 4 KB below said caller's address. 
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